siteprotector technical reference guide - ibm · technical reference guide version 2.0, ... asset...

®

Proventia Management SiteProtector™

Technical ReferenceGuide

Version 2.0, Service Pack 6

Internet Security Systems, Inc.6303 Barfield RoadAtlanta, Georgia 30328-4233United States(404) 236-2600http://www.iss.net

© Internet Security Systems, Inc. 1994-2005. All rights reserved worldwide. Customers may make reasonable numbers of copies of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any other person or entity without the express prior written consent of Internet Security Systems, Inc.

Patent pending.

Internet Security Systems, System Scanner, Wireless Scanner, SiteProtector, ADDME, AlertCon, ActiveAlert, FireCell, FlexCheck, Secure Steps, SecurePartner, SecureU, and X-Press Update are trademarks and service marks, and the Internet Security Systems logo, X-Force, SAFEsuite, Internet Scanner, Database Scanner, Online Scanner, Proventia, and RealSecure registered trademarks, of Internet Security Systems, Inc. Network ICE, ICEpac, and ICEcap are trademarks, and BlackICE is a licensed trademark, of Network ICE Corporation, a wholly owned subsidiary of Internet Security Systems, Inc. SilentRunner is a registered trademark of Raytheon Company. Acrobat and Adobe are registered trademarks of Adobe Systems Incorporated. Certicom is a trademark and Security Builder is a registered trademark of Certicom Corp. Check Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. or its affiliates. Cisco and Cisco IOS are registered trademarks of Cisco Systems, Inc. HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. IBM and AIX are registered trademarks of IBM Corporation. Intel and Pentium are registered trademarks of Intel. Lucent is a trademark of Lucent Technologies, Inc. ActiveX, Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation. Net8, Oracle, Oracle8, SQL*Loader, and SQL*Plus are trademarks or registered trademarks of Oracle Corporation. Seagate Crystal Reports, Seagate Info, Seagate, Seagate Software, and the Seagate logo are trademarks or registered trademarks of Seagate Software Holdings, Inc. and/or Seagate Technology, Inc. Secure Shell and SSH are trademarks or registered trademarks of SSH Communications Security. iplanet, Sun, Sun Microsystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and UltraSPARC are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Adaptive Server, SQL, SQL Server, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a registered trademark of Tivoli Systems Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. All other trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications are subject to change without notice.

Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. ISS and the X-Force disclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems, Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems, Inc., and shall not be used for advertising or product endorsement purposes.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents Internet Security Systems from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email with the topic name, link, and its behavior to [email protected].

March 09, 2006

http://www.iss.net

mailto:[email protected]

Contents

Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5How to Use SiteProtector Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Conventions Used in this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Getting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Chapter 1: Diagnostic and Debugging SetupOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Running the Sensor Controller as a Java Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Setting up Run-time Logging for the Sensor Controller Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Setting up Run-Time Logging for the Application Server Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Chapter 2: Log File DiagnosticsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Section A: Miscellaneous Logging Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Application Server Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Database Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Installation Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21X-Press Update Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Active Directory Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Section B: Application Server Logging Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Application Server and Sensor Controller Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Changing Log4j Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Section C: Sensor Controller Logging Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Sensor Controller Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Sensor Controller SiteProtector Database Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Sensor Controller SiteProtector Core Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Sensor Controller Event Collector Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Sensor Controller Agent Manager Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Sensor Controller Internet Scanner Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Sensor Controller A-Series Appliance Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Sensor Controller G-Series Appliance Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Sensor Controller RealSecure Network Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Sensor Controller RealSecure Network Gigabit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Sensor Controller Server Sensor Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Sensor Controller SiteProtector Third Party Module Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Section D: Agent Manager Logging Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Agent Manager Desktop Protection Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Desktop Controller M-Series Appliance Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

3Technical Reference Guide Version 2.0, SP6

Contents

Appendix A: Database SchemaOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Application Security Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Asset Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Auditing and Diagnostics Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Command and Control Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Grouping Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56ITRSO Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Mail Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Metrics Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Sensor Data Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Site Analysis Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Site Filters Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Staging and Rejects Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Statistics Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Ticketing Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65X-Force Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Complete Database Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

4

Preface

Overview

Introduction The SiteProtector Technical Reference Guide describes the diagnostic capabilities of SiteProtector, and also gives recommendations for some of the issues you may encounter as you use SiteProtector.

Scope The Technical Reference Guide contains information about diagnostic and debugging setup, log files, and database schematics. Chapter one explains the options for setting up the Sensor Controller Diagnostics console and how to activate run-time debugging for the sensor controller and the application server. Chapter two includes most of the SiteProtector log files, which can help you identify and correct problems with components or agents. Although the chapter is not a comprehensive list of all SiteProtector log files, it contains those files that will most likely be of use for your implementation. The Appendix contains the SiteProtector database schematics.

Audience This guide is for network administrators, security administrators, or any other individuals who are responsible for installing SiteProtector and managing network security.


Preface

How to Use SiteProtector Documentation

Using this guide This guide includes some of the issues that you may encounter when working with SiteProtector, but it is not a troubleshooting guide.

Reference: For the most up-to-date list of SiteProtector issues, see the ISS Knowledgebase at http://www.iss.net/support/knowledgebase/. If the Knowledgebase does not help you resolve your issue, email ISS Customer Support at [email protected] or call ISS Customer Support at (1) (888) 447-4861.

Related publications The following table describes other SiteProtector user documents:

Document Contents

SiteProtector Installation Guide

Provides the tasks for installing SiteProtector components and optional modules. It includes information about advanced configuration tasks such as hardening third-party software security, securing database communication, configuring firewalls for SiteProtector traffic, and configuring failover Event Collectors.

SiteProtector Best Practices Guide

Contains the following:

• combines the various contexts of each ISS product (Internet Scanner, Network sensor, Server, System Scanner, BlackICE agents) into a unified protection strategy

• shows security professionals how to deploy ISS products, maintain protection, and tune, expand and update their protection over time using security best practices

• simplifies the process of planning and assessment by providing four protection models that managers can easily tailor to their environment

• presents information that is high level and modular enough to accommodate product changes without significant maintenance

SiteProtector Help Contains all the procedures that you need to use SiteProtector, including advanced procedures that may not be available in a printed user document.

SiteProtector User Guide for Security Managers

Contains the information a Security Manager needs to configure, update, and maintain SiteProtector.

Table 1: Description of SiteProtector user documents

6

http://www.iss.net/support/knowledgebase/

http://www.iss.net/support/knowledgebase/

Conventions Used in this Guide

Conventions Used in this Guide

Introduction This topic explains the typographic conventions used in this guide to make information in procedures and commands easier to recognize.

In procedures The typographic conventions used in procedures are shown in the following table:

Command conventions

The typographic conventions used for command lines are shown in the following table:

Convention What it Indicates Examples

Bold An element on the graphical user interface.

Type the computer’s address in the IP Address box.Select the Print check box. Click OK.

SMALL CAPS A key on the keyboard. Press ENTER.Press the PLUS SIGN (+).

Constant width

A file name, folder name, path name, or other information that you must type exactly as shown.

Save the User.txt file in the Addresses folder.Type IUSR__SMA in the Username box.

Constant width italic

A file name, folder name, path name, or other information that you must supply.

Type Version number in the Identification information box.

A sequence of commands from the taskbar or menu bar.

From the taskbar, select Start Run.On the File menu, select Utilities Compare Documents.

Table 2: Typographic conventions for procedures

Convention What it Indicates Examples

Constant width bold

Information to type in exactly as shown.

md ISS

Italic Information that varies according to your circumstances.

md your_folder_name

[ ] Optional information. dir [drive:][path] [filename] [/P][/W] [/D]

| Two mutually exclusive choices.

verify [ON|OFF]

{ } A set of choices from which you must choose one.

% chmod {u g o a}=[r][w][x] file

Table 3: Typographic conventions for commands


Preface

Getting Technical Support

Introduction ISS provides technical support through its Web site and by email or telephone.

The ISS Web site The Internet Security Systems (ISS) Resource Center Web site (http://www.iss.net/support/) provides direct access to online user documentation, current versions listings, detailed product literature, white papers, and the Technical Support Knowledgebase.

Support levels ISS offers three levels of support:

● Standard

● Select

● Premium

Each level provides you with 24x7 telephone and electronic support. Select and Premium services provide more features and benefits than the Standard service. Contact Client Services at [email protected] if you do not know the level of support your organization has selected.

Hours of support The following table provides hours for Technical Support at the Americas and other locations:

Contact information The following table provides electronic support information and telephone numbers for technical support requests:

Location Hours

Americas 24 hours a day

All other locations

Monday through Friday, 9:00 A.M. to 6:00 P.M. during their local time, excluding ISS published holidays

Note: If your local support office is located outside the Americas, you may call or send an email to the Americas office for help during off-hours.

Table 4: Hours for technical support

Regional Office

Electronic Support Telephone Number

North America Connect to the MYISS section of our Web site:

www.iss.net

Standard:(1) (888) 447-4861 (toll free)

(1) (404) 236-2700

Select and Premium:Refer to your Welcome Kit or call your Primary Designated Contact for this information.

Latin America [email protected] (1) (888) 447-4861 (toll free)

(1) (404) 236-2700

Table 5: Contact information for technical support

8

http://www.iss.net/support/

http://www.iss.net/support/


http://www.iss.net


Getting Technical Support

Europe, Middle East, and Africa

[email protected] (44) (1753) 845105

Asia-Pacific, Australia, and the Philippines

[email protected] (1) (888) 447-4861 (toll free)

(1) (404) 236-2700

Japan [email protected] Domestic: (81) (3) 5740-4065

Regional Office

Electronic Support Telephone Number

Table 5: Contact information for technical support (Continued)





Preface

10

Chapter 1

Diagnostic and Debugging Setup

Overview

Introduction This chapter explains the options for setting up the Sensor Controller Diagnostics console and how to activate run-time debugging for the sensor controller and the application server.

Options for running the sensor controller

By default, the sensor controller runs as a service without the Sensor Controller Diagnostics console. When you run the Sensor Controller Diagnostics console, you can run the sensor controller either as a service or as a Java application.

● If you are only logging agent data, you can use either method.

● If you are unable to start the sensor controller as a service, you can start it as a Java application. Starting the sensor controller as a Java application is also quicker.

Log information For information about the debug logs for the sensor controller and the application server, see the following:

● “Application Server and Sensor Controller Logs” on page 28

● “Changing Log4j Logging Levels” on page 29

Where to find the Sensor Controller Diagnostics console

The Sensor Controller Diagnostics console is installed with the sensor controller and the application server. The instructions for setting up the Sensor Controller Diagnostics console reference the default installation paths. If you installed SiteProtector components to other paths, you must use those instead.

In this chapter This chapter contains the following topics:

Section Page

Running the Sensor Controller as a Java Application 12

Setting up Run-time Logging for the Sensor Controller Service 13

Setting up Run-Time Logging for the Application Server Service 14


Chapter 1: Diagnostic and Debugging Setup

Running the Sensor Controller as a Java Application

Introduction When you run the sensor controller as a Java application, you start the Sensor Controller Diagnostics console and the run-time debug log together from a command prompt window.

Note: When you set up the Sensor Controller Diagnostics console, you also activate the run-time debug logs for the sensor controller.

Procedure To run the sensor controller as a Java application:

1. Access the Services utility on your computer.

2. Select the SiteProtector Sensor Controller service, and then click Stop.

3. Access the Command Prompt.

4. Change directories to \Program Files\ISS\SiteProtector\Application Server\bin.

5. Type ccengine –debug, and then press ENTER.

The Sensor Controller Diagnostics console appears.

12

Setting up Run-time Logging for the Sensor Controller Service

Setting up Run-time Logging for the Sensor Controller Service

Introduction You can start Sensor Controller logging using the SiteProtector Core Agent Properties. Logging priority levels, in decreasing order of logging detail, are as follows:

● None

● Error

● Warn

● Notice

● Info

● Debug

● Full

Procedure To start logging for the Sensor Controller:

1. From the Agent view, right click on the SiteProtector Core, and then select Properties.The Properties tab appears.

2. Click the Agent Properties icon, and then click Edit Agent Properties.

3. Click Advanced.

4. Select a Sensor controller trace level from the drop-down menu, and then click OK.

5. Click OK.


Chapter 1: Diagnostic and Debugging Setup

Setting up Run-Time Logging for the Application Server Service

Introduction When you enable run-time logging for the application server, it continues to run as a service. The run-time logging information appears in a separate Command Prompt window.

Procedure To set up run-time logging for the application server:

1. Click Start on the taskbar, and then select Settings Control Panel.

2. Double-click the Administrative Tools icon, and then double-click the Component Services icon.

3. In the left pane of the Component Services window, select Services.

4. In the right pane, select SiteProtector Application Server Service, and then click Stop.

5. Right-click SiteProtector Application Server, and then select Properties from the pop-up menu.

6. Select the Log On tab, select the Allow service to interact with desktop check box, and then click OK.

Tip: Do not close the Services window.

7. Click Start on the taskbar, and then select Run.

8. Type regedit, and then press ENTER.

The Registry Editor appears.

9. In the left pane, select HKEY_LOCAL_MACHINE SYSTEMCurrentControlSet Services issSPAppService Parameters.

10. In the right pane, double-click ConsoleTrace, type Y in the Value data box, and then click OK.

11. In the Component Services window, select SiteProtector Application Server, and then click Start.

14

Chapter 2

Log File Diagnostics

Overview

Introduction Log files can help you identify and correct problems with components or agents. This chapter provides the following types of information:

● the path of the file

● file contents

● how to change logging levels

● how to view the log

Viewing logs Most log files are text files that you can open with a standard text file editor. If a different method is needed for a particular log file, it is explained with the description of that log.

Important: Be sure to use a text editor that can handle large files.

In this chapter This chapter contains the following sections:

Topic Page

Miscellaneous Logging Information 17

Application Server Logging Information 27

Sensor Controller Logging Information 31

Agent Manager Logging Information 45


Chapter 2: Log File Diagnostics

16

SECTION A: Miscellaneous Logging Information

Overview

Introduction This section gives logging information related to various SiteProtector processes and components.

In this section This section contains the following topics:

Topic Page

Application Server Logs 18

Database Logs 20

Installation Logs 21

X-Press Update Logs 23

Active Directory Logs 25



Application Server Logs

Introduction This topic describes the log and configuration files that the application server uses:

● application server log files

● issDaemon logs

How log files are created on the application server

When you issue a command that displays or modifies a property, response, or policy file for an agent or core component, SiteProtector sends log files to the computer where the application server is running.

Location of application server logs

The path of the application server log files is \Program Files\ISS\SiteProtector\Application Server\temp\AppServer.

Setting logging levels

The logging level determines the type and amount of system information that SiteProtector stores. To set logging levels for the application server logs:

● In the Sensor Controller Diagnostics console, right-click the SiteProtector Core component in the Sensor window.

Important: The application server does not use dynamic logging, so changes to the logging levels do not take effect until you restart the Application Server service.

Characteristics of application server logs

The following characteristics apply to all application server log files:

● The system overwrites a log file each time you restart the sensor controller.

● The amount of detail collected depends on the current trace level.

Note: The log files can quickly become very large when the logging level is high.

Description of log files

Table 6 describes the application server logs:

Location of issDaemon logs

Logging information is available for each issDaemon with which the application server communicates. The path is \Program Files\ISS\SiteProtector\Application Server\temp\AppServer\[email protected]

Note: The issDaemon log files are always available regardless of the trace level.

File name Description

Issdk.txt Logs high-level activity detailing application server interaction with all issDaemons

IssdkComm.txt Logs low-level communication activity between the application server and issDaemons

IssdkInterface.txt Logs low-level application server activity

Table 6: Application Server logs

18

Application Server Logs


Table 7 describes the issDaemon log files:

File Name Description

[email protected] Copy of iss.access located at specified IP address

[email protected] Copy of common.policy located at specified IP address

[email protected] Copy of issDaemon.policy located at specified IP address

Table 7: issDaemon and application server communication logs



Database Logs

Introduction Database log information, such as errors, number of rows loaded, number of rows rejected, and reasons for rows rejected, is logged to the messagelog table in the SiteProtector database.

Viewing database logs

Use Microsoft SQL Server Enterprise Manager or Query Analyzer to view the messagelog table.

Default logging level The default logging level is set to Informational. This level logs a limited set of significant events.

Changing the logging level

You can use the Sensor Details feature in the SiteProtector Console to change the logging level.

Recommendations for increased logging detail

Increasing the logging levels for an extended period of time can quickly fill the database. Use the following recommendations when increasing logging detail:

● Increase the logging levels (i.e., set the logging level to Full) for short intervals as needed to gather detailed information.

● Reset the trace level to Warnings after you finish collecting detailed information.

Truncate this table after extended debugging, as well as during normal tracing, if the table becomes too large.

20

Installation Logs

Installation Logs

Introduction The SiteProtector installation process generates a log file for each SiteProtector component you install. It also creates a detailed log file for each bulk copy of data loaded into a particular table on the SiteProtector database. The log files contain a line of text for each action taking place.

Location of log files Table 8 provides the path of the log files on the computer where each component is installed:

Log files created during installation

The log files created during installation depend on the type of installation (Basic or Custom). Table 9 contains the installation log files that may be generated during installation:

Log Files Folder

Component log files for installation \temp\iss

SiteProtector database table bulk copy log files

\temp\iss\bulk copy logs

Table 8: Location of general and SiteProtector database log files

This log file... Is created by...

Application_Server_Setup_Log.txt Application Server installation

Console_Setup_Log.txt Console installation

Site_Database_Setup_Log.txt Database installation

Event_Collector_Setup_Log.txt Event Collector installation

Desktop_Controller_Setup_Log.txt Desktop Controller installation

Deployment_Manager_setup_log.txt Deployment Manager installation

DMInstallAgent_YYYYMMDD_HHMMSS.txt DMInstallAgent program for a Basic installation from CD

DMInstallAgent_YYYYMMDD_HHMMSS.txt DMInstallAgent program for a Basic installation

DMInstallAgent_YYYYMMDD_HHMMSS.txt DMInstallAgent program for installation of the Console

DMInstallAgent_YYYYMMDD_HHMMSS.txt DMInstallAgent program for part 1 of the Custom installation

DMInstallAgent_YYYYMMDD_HHMMSS.txt DMInstallAgent program for part 2 of the Custom installation

All_Components_Log.txt User clicking Yes to the “Do you want to view the log file?” prompt on the message box.

Table 9: Log files that may be created at installation



Component log files for uninstallation

Log files are always created when you uninstall SiteProtector. The names of the log files are the same as those created during installation, but the contents are overwritten with the uninstallation process information if the original log files still exist.

Note: If error or warning messages occur during the installation process, and you want to save these messages for troubleshooting purposes, then rename the log files before you uninstall the application.

Viewing the component log files

If an error or warning occurs during the installation or uninstallation process in normal mode, the View Log File check box on the Finish window at the end of the process will be checked by default. This enables you to easily view the log file contents to determine the reason for the error or warning.

To view the component installation logs:

1. Click OK on the Finish window.

The Finish window closes and Notepad opens, displaying the contents of the installation/uninstallation log file.

2. View the errors and/or warnings in the log file to determine how to resolve the problem.

SiteProtector database table bulk copy log files

Approximately 50 pairs of log files are generated for each bulk copy that is created and populated for the SiteProtector database. Table 10 describes those pairs of log files:

Note: Statistics for the number of rows copied for every bulk copy file that was installed or uninstalled are included in the Enterprise_Database_Setup_Log.txt file. This file provides a single source for you to quickly determine which error messages or warnings have occurred.

Table Name Description

tablename_ Table_BulkCopy_Log.txt

Statistics related to bulk copy process used to create the database table (e.g., source, destination, number of rows copied, duration)

tablename_Table_BulkCopy_ErrorLog.txt

File is empty unless errors have occurred

Table 10: SiteProtector database log descriptions

22

X-Press Update Logs

X-Press Update Logs

Introduction You can generate log files to track the details of X-Press Update (XPU) activities for the application server and the sensor controller.

Contents of the log The X-Press Update log file contains details of X-Press Update downloading activity and the overall X-Press Update status.

● This high-level log file contains details about XPU activity.

● The file is overwritten each time the application server or the sensor controller restarts.

● The amount of detail depends on current trace level.

Note: This file can quickly become large when logging level is high.

Location of log files Table 11 provides the paths of the X-Press Update log files:

Setting the X-Press Update logging level for the Application Server and Sensor Controller

To change the X-Press Update logging level for the Application Server and Sensor Controller:

1. On the Agent view, right-click the SiteProtector Core, and then select Properties from the pop-up menu.The Properties tab appears.

2. Select the Agent Properties icon, and then click Edit Agent Properties.The SiteProtector Core Properties window appears.

3. Select the X-Press and Product Update tab, and then click Advanced.

4. In the Tracing area, select a logging level from the X-Press Update trace level drop-down menu, and then click OK.

5. Click OK.

Setting the logging level for the X-Press Update Server

To set the logging level for the X-Press Update Server:

1. On the Agent view, right-click the X-Press Update Server, and then select Manage Policy from the pop-up menu.The Policy tab appears.

2. In the right pane, right-click Server Settings, and then select Open Policy from the pop-up menu.

3. In the Logging area, select a logging level from the Level drop-down menu.

Component X-Press Update log file path and name

sensor controller \Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\Xpu.txt

update server \Program Files\ISS\SiteProtector\Application Server\webserver\Apache 2\htdocs\XPU\UpdateServer.log

Table 11: X-Press Update log file locations



4. Click the Save All icon, and confirm your changes if prompted.

5. If the Force Update window appears, click Yes to force agents to update this policy.

6. Close the Policy tab.

24

Active Directory Logs

Introduction The SiteProtector application generates Active Directory log files that can give you information about specific jobs and help you troubleshoot issues with your SiteProtector Active Directory listing.

Location of log files You can find the Active Directory log files in the following location:

\Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\SP [email protected]\Job_job number

Note: If you are using the Custom Installation, the Active Directory log files are located on your application server.


Table 12 provides the names and descriptions of the Active Directory log files:

Setting the Active Directory logging level

The Active Directory Update job sets its logging level from the SiteProtector Core logging level. To set the Active Directory logging level:

1. From the Agent view, right-click SiteProtector Core, and then select Properties from the pop-up menu.

The Properties tab opens.

2. Click the Agent Properties icon, and then click Edit Agent Properties.The SiteProtector Core Properties window appears.

3. Click Advanced.

The Advanced SiteProtector Core Properties window appears.

4. In the Sensor controller trace level drop-down list, select the logging level you want.

5. Click OK.

6. Click OK.

Log file name Description

warnings.csv • lists hosts that were not added to the SiteProtector Active Directory listing

• provides information about why a host was not added to the SiteProtector Active Directory listing

• generated only when logging is set to Warn or higher

JobLog.txt • lists system-related information

• generated with any logging level, except None

• generated when a system error occurs

Table 12: Active Directory log file locations



26

Overview

SECTION B: Application Server Logging Information

Overview

Introduction This section provides Application Server logging information, and also gives information about using the log4j tool to set logging levels.


Topic Page

Application Server and Sensor Controller Logs 28

Changing Log4j Logging Levels 29



Application Server and Sensor Controller Logs

Introduction You can view the application server and sensor controller log4j logs in the following ways:

● as a text file in a standard text editor

● in the Windows 2000 Event Viewer Application Log

Location of log files Table 13 provides the paths of the run-time logs on the computer that hosts the application server and sensor controller.

Viewing from a text file

To view the log:

● Open the log file for application server or the sensor controller with any text file editor that can edit large files.

Viewing from the event viewer

Events generated by the application server and the sensor controller are logged to the Application Log in the Windows Event Viewer. The Source names for the events are issSPAppService and issSPSenCtlService.

To view the events from the Windows Event Viewer Application Log:

1. Click Start on the taskbar, and then select Programs Administrative Tools.

2. Double-click the Component Services icon.

3. In the Component Services window, expand Event Viewer, and then select the Application log.

4. In the right pane of the Source column, look for issSPAppService and issSPSenCtlService.

Tip: Click the Source column to sort the list.

Component and file path File Names

Application server

\Program Files\ISS\SiteProtector\Application Server\temp\

• server.log

• cas.log

• web.log

• iss-services.log

Sensor controller

\Program Files\ISS\SiteProtector\Application Server\temp\

• sensor_ctl.time_stamp.log

Table 13: Log file locations

28

Changing Log4j Logging Levels

Introduction This topic describes logging levels for log4j logs. These logging levels apply to the Application Server only. Methods for viewing log4j logs are explained in “Application Server and Sensor Controller Logs” on page 28.

Logging levels The log4j tool provides five priority levels of logging detail. (See non-ISS documentation at http://jakarta.apache.org/log4j/docs/manual.html.) The default logging level is set to fatal, which only logs very serious errors.

Priority levels, in decreasing order of logging detail, are as follows:

● DEBUG

● INFO

● WARN

● ERROR

● FATAL

Recommendations for logging detail

Increasing the logging levels for an extended period of time can quickly fill the log file. Follow these recommendations when increasing logging detail:

● Increase the logging levels for short intervals as needed to gather detailed information.

● Delete the log files at any time, as they can quickly become large.

● Check the log4j documentation for procedures that automatically roll the logs into manageable sizes.

Where the logging level is set

The logging level is set in a log4j configuration file for the Application Server, located here:

\Program Files\ISS\SiteProtector\Application Server\webserver\jboss\server\default\conf\log4j.xml

Important: The file must be present before any logging takes place.

Log file description Table 14 provides a description of each Application Server log file.

File name Appender name Description of log detail

server.log SITEPROTECTOR General Application Server logging

cas.log CAS Central Responses and Component Responses

web.log WEB SiteProtector Web Access server and Deployment Manager

iss-services.log ISS_SERVICES Agent task services

Table 14: Log file descriptions


http://jakarta.apache.org/log4j/docs/manual.html

http://jakarta.apache.org/log4j/docs/manual.html


Changing the logging level

To change the logging level:

1. In Notepad or an equivalent text editor, open the log4j configuration file for the application server (log4j.xml).

2. Find the logging category you are interested in changing as described in Table 14. For example, to change general application server logging, locate the following category by its appender name “SITEPROTECTOR”:<category name="net.iss"><priority value="LOGGING_LEVEL"/><appender-ref ref=”SITEPROTECTOR”/></category>

Note: The LOGGING_LEVEL value is one of the five possible logging levels.

3. Replace the logging level with another available logging level.

Example: Change the logging level from ERROR to DEBUG.

4. Save the file.

30

Overview

SECTION C: Sensor Controller Logging Information

Overview

Introduction This section lists SiteProtector logging information for components that are managed with the sensor controller.


Topic Page

Sensor Controller Logs 32

Sensor Controller SiteProtector Database Logs 33

Sensor Controller SiteProtector Core Logs 34

Sensor Controller Event Collector Logs 35

Sensor Controller Agent Manager Logs 36

Sensor Controller Internet Scanner Logs 37

Sensor Controller A-Series Appliance Logs 38

Sensor Controller G-Series Appliance Logs 39

Sensor Controller RealSecure Network Logs 40

Sensor Controller RealSecure Network Gigabit Logs 41

Sensor Controller Server Sensor Logs 42

Sensor Controller SiteProtector Third Party Module Logs 43



Sensor Controller Logs

Introduction This topic introduces log and configuration files that the sensor controller uses:

● the log files for the sensor controller

● the configuration and log files for the agents and SiteProtector components with which the sensor controller communicates

How sensor controller logging works

When you issue a command that displays or modifies a property, response, or policy file for an agent or core component, SiteProtector sends log files to the computer where the sensor controller is running.

Location of log files The path of the files is as follows:

Program Files\ISS\SiteProtector\Application Server\temp

Dynamic logging levels

Changes to the logging levels are dynamic. You do not have to restart the sensor controller service for the changes to go into effect.

Common characteristics

The following common characteristics apply to all sensor controller log files:

● The log file is overwritten each time you restart the sensor controller, but only if the logging level is not full. If the logging level is full, then SiteProtector appends the file.

● The amount of detail collected depends on current trace level.

Note: The log files can quickly become large when the logging level is high.


Table 15 describes the log files for the sensor controller:

Changing logging levels for agents

To change the logging levels:

1. From the Agent view, right-click the agent, and then select Properties from the pop-up menu.The Properties tab opens.

2. Select the desired logging level in the Sets new agent logging level drop-down list.

3. Close the Properties tab.

Log File Name Description

Issdk.txt Logs high-level activity detailing sensor controller interaction with all agents and core components

IssdkComm.txt Logs low-level communication activity between the sensor controller and agents

IssdkInterface.txt Logs low-level sensor controller activity

Table 15: Sensor controller dynamic log files

32

Sensor Controller SiteProtector Database Logs

Sensor Controller SiteProtector Database Logs

Introduction The SiteProtector database files contain information related to the SiteProtector database located at the given IP address. The path of the log file is \Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\SP [email protected].

Note: If the trace level is set to 0, and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the SiteProtector database is:

\Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\SP [email protected]\Job_job_number


Table 16 describes the SiteProtector database log file:


Site Protector [email protected]

• low-level log file detailing sensor controller interaction with SiteProtector database component (i.e., XPU activity)

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 16: SiteProtector database log files



Sensor Controller SiteProtector Core Logs

Introduction The SiteProtector Core log files contain information related to the sensor controller located at the given IP address. The path of the log files is \Program Files\ISS\SiteProtector\Application Server\temp.

Note: The format of the log file is: sensor_ctl.time_stamp.log


Table 17 describes the SiteProtector Core log files


sensor_ctl.time_stamp.log • generated file containing runtime debug information

• new file created each time sensor controller service restarts


Table 17: SiteProtector Core log files

34

Sensor Controller Event Collector Logs

Sensor Controller Event Collector Logs

Introduction The default path of configuration files for the event collector at the given IP address is \Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\[email protected]. The default installation path of the event collector is \Program Files\ISS\SiteProtector\Event Collector.

Note: If the trace level is set to 0, and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the event collector is:

\Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\[email protected]\Job_job_number


Table 18 describes the event collector log files:

Log File Names Description

EventCollector_ [email protected]

• copy of common.policy located at specified IP address

• always available

• independent of logging level


• copy of issDaemon.policy located at specified IP address




• copy of current.policy located at specified IP address




• copy of ec_status.policy (located at specified IP address) that details the Event Collector control list and status information




• generated file containing runtime configuration information

• overwritten each time sensor controller restarts but is independent of logging level


• cached file of user modifications to properties



• generated file containing runtime debug information detailing interaction between sensor controller and event collector



Table 18: Event collector log files



Sensor Controller Agent Manager Logs

Introduction The default path of configuration files for the Agent Manager (formerly Desktop Controller) at the given IP address is \Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\Agent [email protected]. The default installation path of the Agent Manager is \Program Files\ISS\SiteProtector\Agent Manager.

Note: If the trace level is set to 0, and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the Agent Manager is:

\Program Files\ISS\SiteProtector\Agent Manager\Job_job_number


Table 19 describes the Agent Manager log files:


Agent Manager_ [email protected]





• copy of issDaemon.policy located at specified IP address








• copy of the Agent Manager status policy file (located at specified IP address) that details the Agent Manager control list and status information






Agent [email protected]




• generated file containing runtime debug information detailing interaction between sensor controller and Agent Manager



Table 19: Agent Manager log files

36

Sensor Controller Internet Scanner Logs

Sensor Controller Internet Scanner Logs

Introduction The path of the configuration and log files for the Internet Scanner located at the given IP address is \Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\[email protected].

Note: If the trace level is set to 0, and the job is completed, then the system deletes the Job folder.

Location of Internet Scanner job-specific log files

The path of the log files related to specific jobs for Internet Scanner is \Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\[email protected]. The files are located in subfolders according to the job name.

Description of Internet Scanner job-specific log files

Table 20 describes some of the available job-specific log files:


hosts.hst IP range of hosts to be scanned

iss.key license key that limits IP range that can be scanned

*.xml policy file used by Internet Scanner during scan

Table 20: Internet Scanner job-specific log files



Sensor Controller A-Series Appliance Logs

Introduction The A-Series appliance log files contain information related to the A-Series appliance located at the given IP address. The path of the log files is \Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\[email protected].

Note: If the trace level is set to 0, and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the A-Series appliance is:

\Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\Proventia_Amodel_number\Job_job_number


Table 21 describes the A-Series appliance log files:


[email protected]




[email protected]


• overwritten each time sensor controller restarts, but independent of logging level

[email protected]



[email protected]

• generated file containing runtime debug information



Table 21: A-Series appliance log files

38

Sensor Controller G-Series Appliance Logs

Sensor Controller G-Series Appliance Logs

Introduction The G-Series appliance log files contain information related to the G-Series appliance located at the given IP address. The path of the log files is \Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\[email protected].

Note: If the trace level is set to 0, and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the G-Series appliance is:

\Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\Proventia_Gmodel_number\Job_job_number


Table 22 describes the G-Series appliance log files:


[email protected]




[email protected]



[email protected]



[email protected]

• generated file containing runtime debug information



Table 22: G-Series appliance log files



Sensor Controller RealSecure Network Logs

Introduction The RealSecure Network log files contain information related to the RealSecure Network agent located at the given IP address. The path of the log files is \ProgramFiles\ISS\SiteProtector\Application Server\temp\Sensor Controller\[email protected].

Note: If the trace level is set to 0, and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the RealSecure Network agent is:



Table 23 describes the RealSecure Network agent log files:

Note: All logging is saved for successful jobs, unless the logging level is turned off.


[email protected]




[email protected]



[email protected]



[email protected]

• generated file containing runtime debug information detailing interaction between sensor controller and network sensor



Table 23: RealSecure Network agent log files

40

Sensor Controller RealSecure Network Gigabit Logs

Sensor Controller RealSecure Network Gigabit Logs

Introduction The RealSecure Network Gigabit log files contain information related to the RealSecure Network Gigabit agent located at the given IP address. The path of the log files is \Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\[email protected].

Note: If the trace level is set to 0, and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the RealSecure Network Gigabit is:



Table 24 describes the RealSecure Network Gigabit log files:


[email protected]




[email protected]



[email protected]


• contains sensor configuration info displayed in SiteProtector Console

[email protected]

• copy of daemon.policy located at specified IP address

• contains port, path, and configuration information for daemon

[email protected]

• generated file containing runtime debug information detailing interaction between sensor controller and network sensor



Table 24: RealSecure Network Gigabit log files



Sensor Controller Server Sensor Logs

Introduction The Server Sensor log files contain information related to the Server Sensor located at the given IP address. The path of the log files is \Program Files\ISS\SiteProtector\Application Server\temp\Sensor Controller\[email protected].

Note: If the trace level is set to 0, and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the RealSecure Server Sensor is:



Table 25 describes the Server Sensor log files:


[email protected]




[email protected]



[email protected]


• contains sensor configuration info displayed in SiteProtector Console

[email protected]

• copy of daemon.policy located at specified IP address

• contains port, path, and configuration information for daemon

[email protected]

• generated file containing runtime debug information detailing interaction between sensor controller and Server Sensor



Table 25: Server Sensor log files

42

Sensor Controller SiteProtector Third Party Module Logs

Sensor Controller SiteProtector Third Party Module Logs

Introduction The Third Party Module log files contain information related to the Third Party Module located at the given IP address. The paths to the log files are as follows:

CheckPoint log files Table 26 describes the CheckPoint Third Party Module log files:

Cisco PIX log files Table 27 describes the Cisco PIX Third Party Module log files:

Firewall Log file path

CheckPoint \ISS\issSensors\ThirdPartyModule_Checkpoint_1\Logs

Cisco PIX \ISS\issSensors\ThirdPartyModule_Cisco_1\Logs


sensor_health.policy • copy of current.policy located at specified IP address



LeaTraceLog.txt • generated file containing runtime debug information



TpmLog.txt

TPMTraceLog.txt

Table 26: CheckPoint Third Party Module log files


sensor_health.policy • copy of current.policy located at specified IP address



TpmLog.txt, • generated file containing runtime debug information



TPMTraceLog.txt

Table 27: Cisco PIX Third Party Module log files



44

SECTION D: Agent Manager Logging Information

Overview

Introduction This section lists SiteProtector logging information for components that are managed with the Agent Manager (formerly Desktop Controller).


Topic Page

Agent Manager Desktop Protection Logs 46

Desktop Controller M-Series Appliance Logs 48



Agent Manager Desktop Protection Logs

Introduction The Desktop Protection log files contain information related to the Agent Manager located at the given IP address. The path of the log files is \Program Files\ISS\SiteProtector\Agent Manager\Logs.

Note: The above path reflects a new install of SiteProtector 2.0, Service Pack 6. If you have upgraded from Service Pack 5.0 or 5.2, the path is: \Program Files\ISS\RealSecure SiteProtector\Desktop Controller\Logs

Logging levels If you are experiencing problems with your Agent Manager applications, you should adjust logging levels to help troubleshoot the issues. You set logging levels in the rsspdc.ini file, which is located in the following directory on the Agent Manager computer:

\Program Files\ISS\SiteProtector\Agent Manager

Setting and clearing logging levels

To set a logging level:

1. In the rsspdc.ini file, cut the logging level you want from the dcLog.clear line, and then paste it into the dcLog.set line.

To clear a logging level, cut it from the dcLog.set line, and then paste it into the dcLog.clear line.

2. Save, and then close the files.

3. From the SiteProtector Console, stop, and then start the Agent Manager service.

Important: ISS strongly recommends that you perform this procedure only with guidance from ISS Technical Support.

Logging level parameters

The following table lists the logging level parameters:

Logging level Description

EXCEPTION Error level logging including both fatal and non-fatal. These errors may indicate expected failure situations (such as connectivity loss or out of memory errors) or unexpected problems from the outside the Desktop Controller (such as malformed XML policies or unexpected events from agents).

ASSERTION Debug assertion logging that indicates a bug in the Desktop Controller code. These errors indicate abnormal conditions, and if seen, they should be reported to ISS Technical Support.

WARNING Warning logging for non-critical/recoverable conditions in the Desktop Controller, such as DB connectivity loss.

INFORMATION Information logging of general activity in the Desktop Controller.

HTTPRESPONSE Logging of HTTP response data to agents from the Desktop Controller.

HTTPEVENT Logging of incoming HTTP event/heartbeat data from agents.

FIREWALL Logging of firewall rule-setting during policy loading.

Table 28: Desktop Protection logging level parameters

46

Agent Manager Desktop Protection Logs

AGENTDOWNLOAD Logging of HTTP request information when agents download files from the Desktop Controller (including configuration files or upgrade packages).

WEBSERVER Logging of Web server activity in the Desktop Controller.

SYSMON General logging level for system type events, such as thread startup and shutdown.

ALERT Logging of alert/response information for SMTP, Pager, and SNMP alerts.

METRICS Traces incoming event counts.

VERBOSE Logging of repeated informational traces such as polling thread activity and policy/property file loading.

Logging level Description

Table 28: Desktop Protection logging level parameters



Desktop Controller M-Series Appliance Logs

Introduction The M-Series log file contains information related to the M-Series appliance located at the given IP address. The path to the log file is /var/log/messages.

Local Management Interface

The easiest way to access the log file is by using the Local Management Interface (LMI) on the M-Series appliance. For information about how to access the log file using the LMI, see the Proventia M-Series Appliances User Guide.

Description of log file

Table 29 describes the M-Series log file:

Log file parameter Description

Date/Time The date and time that the event was detected.

Event Type The type of event that was detected. The event types are:

• anti-virus

• firewall

• intrusion protection module

• system

Other event details Besides Date, Time, and Event Type, the following event information can be included in the M-Series log file:

• generated error message

• source/destination IP address

• source/destination port

• host name

Table 29: M-Series log file

48

®

Appendix

Appendix A

Database Schema

Overview

Introduction This appendix provides the SiteProtector database schematics.

In this appendix This appendix contains the following topics:

Topic Page

Application Security Schema 52

Asset Schema 53

Auditing and Diagnostics Schema 54

Command and Control Schema 55

Grouping Schema 56

ITRSO Schema 57

Mail Schema 58

Metrics Schema 59

Sensor Data Schema 60

Site Analysis Schema 61

Site Filters Schema 62

Staging and Rejects Schema 63

Statistics Schema 64

Ticketing Schema 65

X-Force Schema 66

Complete Database Schema 67


Appendix A: Database Schema

Application Security Schema

Schema The following diagram displays the Application Security Schema.

52

Asset Schema

Asset Schema

Schema The following diagram displays the Asset Schema:



Auditing and Diagnostics Schema

Schema The following diagram displays the Auditing and Diagnostics schema:

54

Command and Control Schema

Command and Control Schema

Schema The following diagram displays the Command and Control schema:



Grouping Schema

Schema The following diagram displays the Grouping schema:

56

ITRSO Schema

ITRSO Schema

Schema The following diagram displays the ITRSO schema:



Mail Schema

Schema The following diagram displays the Mail Schema:

58

Metrics Schema

Metrics Schema

Schema The following diagram displays the Metrics schema:



Sensor Data Schema

Schema The following diagram displays the Sensor Data schema:

60

Site Analysis Schema

Site Analysis Schema

Schema The following diagram displays the Site Analysis schema:



Site Filters Schema

Schema The following diagram displays the Site Filters schema:

62

Staging and Rejects Schema

Staging and Rejects Schema

Schema The following table displays the Staging and Rejects schema:



Statistics Schema

Schema The following diagram displays the Statistics schema:

64

Ticketing Schema

Ticketing Schema

Schema The following diagram displays the Ticketing Schema:



X-Force Schema

Schema The following diagram displays the X-force schema:

66

Complete Database Schema

Complete Database Schema

Schema The following diagram displays a high-level overview of the entire database schema:



68

Index

Web site 8
aActive Directory 25application server
debug logs 18–19

cconventions, typographical

in commands 7in procedures 7in this manual 7

ddebug logs

application server 18–19application server, log4j 29installation 21issDaemon 18See also Sensor Controller Diagnostics consolesensor controller 32–34sensor controller, log4j 29setting up 14SiteProtector database 20SiteProtector database, installation 22X-Press Update 23

Desktop Controllerlogs 46

eEvent Collector

debug logs 35

iinstallation

logs 21Internet Scanner

debug logs 37Internet Security Systems

technical support 8

Technical Reference Guide Version 2.0, SP6

llogging level

application server 18Desktop Protection 46sensor controler 32X-Press Update 23

logsdatabase 20Desktop Controller

Desktop Protection 46installation 21levels 29sensor controller 32

A-Series Appliance 38Desktop Controller 36event collector 15Gigabit network sensor 41G-Series Appliance 39Internet Scanner 37network sensor 40server sensor 42SiteProtector core 34SiteProtector database 33SiteProtector Third Party Module 43

viewing 15, 20, 22, 28X-Press Update 23

logs, debugSee debug logs

sschema

auditing and diagnostics 54command and control 55complete database schema 67grouping 55–56ITRSO 57metrics 59sensor data 60site analysis 61site filters 62staging and rejects 63

69

Index

statistics 64X-Force 66

sensor controllerdebug logs 32–34

Sensor Controller Diagnostics consolestarting 12

SiteProtectorThird Party Module 43

SiteProtector databasedebug logs 20installation logs 22

ttechnical support, Internet Security Systems 8typographical conventions 7

wWeb site, Internet Security Systems 8

xX-Press Updates

debug logs 23

70

Internet Security Systems, Inc. Software License Agreement THIS SOFTWARE PRODUCT IS PROVIDED IN OBJECT CODE AND IS LICENSED, NOT SOLD. BY INSTALLING, ACTIVATING, COPY-ING OR OTHERWISE USING THIS SOFTWARE PRODUCT, YOU AGREE TO ALL OF THE PROVISIONS OF THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”). EXCEPT AS MAY BE MODIFIED BY AN APPLICABLE ISS LICENSE NOTIFICATION THAT ACCOMPANIES, PRECEDES, OR FOLLOWS THIS LICENSE, AND AS MAY FURTHER BE DEFINED IN THE USER DOCUMENTATION ACCOMPANYING THE SOFTWARE PRODUCT, YOUR RIGHTS AND OBLIGATIONS WITH RESPECT TO THE USE OF THIS SOFTWARE PRODUCT ARE AS SET FORTH BELOW. IF YOU ARE NOT WILLING TO BE BOUND BY THIS LICENSE, RETURN ALL COPIES OF THE SOFTWARE PRODUCT, INCLUDING ANY LICENSE KEYS, TO ISS WITHIN FIFTEEN (15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID LICENSE FEE. IF THE SOFTWARE PRODUCT WAS OBTAINED BY DOWNLOAD, YOU MAY CERTIFY DESTRUCTION OF ALL COPIES AND ANY LICENSE KEYS IN LIEU OF RETURN. 1. License - Upon your payment of the applicable fees and ISS delivery to you of the applicable license notification, Internet Security Systems, Inc. (“ISS”) grants to

you as the only end user (“Licensee”) a nonexclusive and nontransferable, limited license for the accompanying ISS software product, the related documenta-tion, and any associated license key(s) (Software), for use only on the specific network configuration, for the number and type of devices, and for the time period (“Term”) that are specified in ISS quotation and Licensees purchase order, as accepted by ISS. ISS limits use of Software based upon the number of nodes, users and/or the number and type of devices upon which it may be installed, used, gather data from, or report on, depending upon the specific Software licensed. A device includes any network addressable device connected to Licensees network, including remotely, including but not limited to personal computers, worksta-tions, servers, routers, hubs and printers. A device may also include ISS hardware (each an Appliance) delivered with pre-installed Software and the license associated with such shall be a non-exclusive, nontransferable, limited license to use such pre-installed Software only in conjunction with the ISS hardware with which it is originally supplied and only during the usable life of such hardware. Except as provided in the immediately preceding sentence, Licensee may repro-duce, install and use the Software on multiple devices, provided that the total number and type are authorized by ISS. Licensee may make a reasonable number of backup copies of the Software solely for archival and disaster recovery purposes. In connection with certain Software products, ISS licenses security content on a subscription basis for a Term. Content subscriptions are licensed pursuant to this License based upon the number of protected nodes or number of users. Security content is regularly updated and includes, but is not limited to, Internet content (URLs) and spam signatures that ISS classifies, security algorithms, checks, decodes, and ISS related analysis of such information, all of which ISS regards as its confidential information and intellectual property. Security content may only be used in conjunction with the applicable Software in accordance with this License. The use or re-use of such content for commercial purposes is pro-hibited. Licensees access to the security content is through an Internet update using the Software. In addition, unknown URLs may be automatically forwarded to ISS through the Software, analyzed, classified, entered into ISS URL database and provided to Licensee as security content updates at regular intervals. ISS URL database is located at an ISS facility or as a mirrored version on Licensees premises. Any access by Licensee to the URL database that is not in conform-ance with this License is prohibited. Upon expiration of the security content subscription Term, unless Licensee renews such content subscription, Licensee shall implement appropriate system configuration modifications to terminate its use of the content subscription. Upon expiration of the license Term, Licensee shall cease using the Software and certify return or destruction of it upon request.

2. Migration Utilities - For Software ISS markets or sells as a Migration Utility, the following shall apply. Provided Licensee holds a valid license to the ISS Software to which the Migration Utility relates (the Original Software), ISS grants to Licensee as the only end user a nonexclusive and nontransferable, limited license to the Migration Utility and the related documentation (“Migration Utility”) for use only in connection with Licensees migration of the Original Software to the replace-ment software, as recommended by ISS in the related documentation. The Term of this License is for as long as Licensee holds a valid license to the applicable Original Software. Licensee may reproduce, install and use the Migration Utility on multiple devices in connection with its migration from the Original Software to the replacement software. Licensee shall implement appropriate safeguards and controls to prevent unlicensed use of the Migration Utility. Licensee may make a reasonable number of backup copies of the Migration Utility solely for archival and disaster recovery purposes.

3. Third-party Products - Use of third party product(s) supplied hereunder, if any, will be subject solely to the manufacturers terms and conditions that will be pro-vided to Licensee upon delivery. ISS will pass any third party product warranties through to Licensee to the extent authorized. If ISS supplies Licensee with Crys-tal Decisions Runtime Software, then the following additional terms apply: Licensee agrees not to alter, disassemble, decompile, translate, adapt or reverse-engineer the Runtime Software or the report file (.RPT) format, or to use, distribute or integrate the Runtime Software with any general-purpose report writing, data analysis or report delivery product or any other product that performs the same or similar functions as Crystal Decisions product offerings; Licensee agrees not to use the Software to create for distribution a product that converts the report file (.RPT) format to an alternative report file format used by any general-pur-pose report writing, data analysis or report delivery product that is not the property of Crystal Decisions; Licensee agrees not to use the Runtime Software on a rental or timesharing basis or to operate a service bureau facility for the benefit of third parties unless Licensee first acquires an Application Service Provider License from Crystal Decisions; CRYSTAL DECISIONS AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESS, OR IMPLIED, INCLUDING WITH-OUT LIMITATION THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. CRYSTAL DECISIONS AND ITS SUPPLIERS SHALL HAVE NO LIABILITY WHATSOEVER UNDER THIS AGREEMENT OR IN CONNECTION WITH THE SOFTWARE. In this section 3 Software means the Crystal Reports software and associated documentation supplied by ISS and any updates, addi-tional modules, or additional software provided by Crystal Decisions in connection therewith; it includes Crystal Decisions Design Tools, Report Application Server and Runtime Software, but does not include any promotional software or other software products provided in the same package, which shall be governed by the online software license agreements included with such promotional software or software product.

4. Beta License - If ISS is providing Licensee with the Software, security content and related documentation, and/or an Appliance as a part of an alpha or beta test, the following terms of this Section 4 additionally apply and supercede any conflicting provisions herein or any other license agreement accompanying, contained or embedded in the subject prototype product or any associated documentation. ISS grants to Licensee a nonexclusive, nontransferable, limited license to use the ISS alpha/beta software program, security content, if any, Appliance and any related documentation furnished by ISS (Beta Products) for Licensees evalua-tion and comment (the “Beta License”) during the Test Period. ISS standard test cycle, which may be extended at ISS discretion, extends for sixty (60) days, commencing on the date of delivery of the Beta Products (the “Test Period”). Upon expiration of the Test Period or termination of the Beta License, Licensee shall, within thirty (30) days, return to ISS or destroy all copies of the beta Software, and shall furnish ISS written confirmation of such return or destruction upon request. If ISS provides Licensee a beta Appliance, Licensee agrees to discontinue use of and return such Appliance to ISS upon ISS request and direction. If Licensee does not promptly comply with this request, ISS may, in its sole discretion, invoice Licensee in accordance with ISS current policies. Licensee will pro-vide ISS information reasonably requested by ISS regarding Licensee’s experiences with the installation and operation of the Beta Products. Licensee agrees that ISS shall have the right to use, in any manner and for any purpose, any information gained as a result of Licensees use and evaluation of the Beta Products. Such information shall include but not be limited to changes, modifications and corrections to the Beta Products. Licensee grants to ISS a perpetual, royalty-free, non-exclusive, transferable, sublicensable right and license to use, copy, make derivative works of and distribute any report, test result, suggestion or other item resulting from Licensee’s evaluation of its installation and operation of the Beta Products. LICENSEE AGREES NOT TO EXPORT BETA PRODUCTS DESIG-NATED BY ISS IN ITS BETA PRODUCT DOCUMENTATION AS NOT YET CLASSIFIED FOR EXPORT TO ANY DESTINATION OTHER THAN THE U.S. AND THOSE COUNTRIES ELIGIBLE FOR EXPORT UNDER THE PROVISIONS OF 15 CFR 740.17(A) (SUPPLEMENT 3), CURRENTLY CANADA, THE EUROPEAN UNION, AUSTRALIA, JAPAN, NEW ZEALAND, NORWAY, AND SWITZERLAND. If Licensee is ever held or deemed to be the owner of any copyright rights in the Beta Products or any changes, modifications or corrections to the Beta Products, then Licensee hereby irrevocably assigns to ISS all such rights, title and interest and agrees to execute all documents necessary to implement and confirm the letter and intent of this Section. Licensee acknowledges and agrees that the Beta Products (including its existence, nature and specific features) constitute Confidential Information as defined in Section 18. Licensee further agrees to treat as Confidential Information all feedback, reports, test results, suggestions, and other items resulting from Licensee’s evaluation and testing of the Beta Products as contemplated in this Agreement. With regard to the Beta Products, ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases. However, ISS agrees to use its reasonable efforts to correct errors in the Beta Products and related documentation within a rea-sonable time, and will provide Licensee with any corrections it makes available to other evaluation participants. The documentation relating to the Beta Products may be in draft form and will, in many cases, be incomplete. Owing to the experimental nature of the Beta Products, Licensee is advised not to rely exclusively on the Beta Products for any reason. LICENSEE AGREES THAT THE BETA PRODUCTS AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WAR-RANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. LICENSEE ACKNOWLEDGES AND AGREES THAT THE BETA PRODUCT MAY CONTAIN DEFECTS, PRODUCE ERRONEOUS AND UNINTENDED RESULTS AND MAY AFFECT DATA NETWORK SERVICES AND OTHER MATERIALS OF LICENSEE. LICENSEES USE OF THE BETA PRODUCT IS AT THE SOLE RISK OF LICENSEE. IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE’S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE BETA PRODUCT LICENSE BY WRITTEN NOTICE TO ISS.

5. Evaluation License - If ISS is providing Licensee with the Software, security content and related documentation on an evaluation trial basis at no cost, such license Term is 30 days from installation, unless a longer period is agreed to in writing by ISS. ISS recommends using Software and security content for evalua-tion in a non-production, test environment. The following terms of this Section 5 additionally apply and supercede any conflicting provisions herein. Licensee agrees to remove or disable the Software and security content from the authorized platform and return the Software, security content and documentation to ISS upon expiration of the evaluation Term unless otherwise agreed by the parties in writing. ISS has no obligation to provide support, maintenance, upgrades, mod-ifications, or new releases to the Software or security content under evaluation. LICENSEE AGREES THAT THE EVALUATION SOFTWARE, SECURITY CONTENT AND RELATED DOCUMENTATION ARE BEING DELIVERED AS IS FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRAN-TIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF

ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEES SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE EVALUA-TION LICENSE BY WRITTEN NOTICE TO ISS.

6. Covenants - ISS reserves all intellectual property rights in the Software, security content and Beta Products. Licensee agrees: (i) the Software, security content or Beta Products is owned by ISS and/or its licensors, is a valuable trade secret of ISS, and is protected by copyright laws and international treaty provisions; (ii) to take all reasonable precautions to protect the Software, security content or Beta Product from unauthorized access, disclosure, copying or use; (iii) not to mod-ify, adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code of the Software, security content or Beta Prod-uct; (iv) not to use ISS trademarks; (v) to reproduce all of ISS and its licensors copyright notices on any copies of the Software, security content or Beta Product; and (vi) not to transfer, lease, assign, sublicense, or distribute the Software, security content or Beta Product or make it available for time-sharing, service bureau, managed services offering, or on-line use.

7. Support and Maintenance - Depending upon what maintenance programs Licensee has purchased, ISS will provide maintenance, during the period for which Licensee has paid the applicable maintenance fees, in accordance with its prevailing Maintenance and Support Policy that is available at http://docu-ments.iss.net/maintenance_policy.pdf. Any supplemental Software code or related materials that ISS provides to Licensee as part of any support and mainte-nance service are to be considered part of the Software and are subject to the terms and conditions of this License, unless otherwise specified.

8. Limited Warranty - The commencement date of this limited warranty is the date on which ISS provides Licensee with access to the Software. For a period of ninety (90) days after the commencement date or for the Term (whichever is less), ISS warrants that the Software or security content will conform to material operational specifications described in its then current documentation. However, this limited warranty shall not apply unless (i) the Software or security content is installed, implemented, and operated in accordance with all written instructions and documentation supplied by ISS, (ii) Licensee notifies ISS in writing of any nonconformity within the warranty period, and (iii) Licensee has promptly and properly installed all corrections, new versions, and updates made available by ISS to Licensee. Furthermore, this limited warranty shall not apply to nonconformities arising from any of the following: (i) misuse of the Software or security content, (ii) modification of the Software or security content, (iii) failure by Licensee to utilize compatible computer and networking hardware and software, or (iv) interac-tion with software or firmware not provided by ISS. If Licensee timely notifies ISS in writing of any such nonconformity, then ISS shall repair or replace the Soft-ware or security content or, if ISS determines that repair or replacement is impractical, ISS may terminate the applicable licenses and refund the applicable license fees, as the sole and exclusive remedies of Licensee for such nonconformity. THIS WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS, AND LICENSEE MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION. ISS DOES NOT WARRANT THAT THE SOFT-WARE OR THE SECURITY CONTENT WILL MEET LICENSEE’S REQUIREMENTS, THAT THE OPERATION OF THE SOFTWARE OR SECURITY CON-TENT WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL SOFTWARE OR SECURITY CONTENT ERRORS WILL BE CORRECTED. LICENSEE UNDERSTANDS AND AGREES THAT THE SOFTWARE AND THE SECURITY CONTENT ARE NO GUARANTEE AGAINST UNSOLICITED E-MAILS, UNDESIRABLE INTERNET CONTENT, INTRUSIONS, VIRUSES, TROJAN HORSES, WORMS, TIME BOMBS, CANCELBOTS OR OTHER SIMI-LAR HARMFUL OR DELETERIOUS PROGRAMMING ROUTINES AFFECTING LICENSEE’S NETWORK, OR THAT ALL SECURITY THREATS AND VUL-NERABILITIES, UNSOLICITED E-MAILS OR UNDESIRABLE INTERNET CONTENT WILL BE DETECTED OR THAT THE PERFORMANCE OF THE SOFTWARE AND SECURITY CONTENT WILL RENDER LICENSEES SYSTEMS INVULNERABLE TO SECURITY BREACHES. THE REMEDIES SET OUT IN THIS SECTION 8 ARE THE SOLE AND EXCLUSIVE REMEDIES FOR BREACH OF THIS LIMITED WARRANTY.

9. Warranty Disclaimer - EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, THE SOFTWARE AND SECURITY CONTENT ARE EACH PROVIDED AS IS AND ISS HEREBY DISCLAIMS ALL WARRANTIES, BOTH EXPRESS AND IMPLIED, INCLUDING IMPLIED WARRANTIES RESPECTING MER-CHANTABILITY, TITLE, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. LICENSEE EXPRESSLY ACKNOWLEDGES THAT NO REPRESENTATIONS OTHER THAN THOSE CONTAINED IN THIS LICENSE HAVE BEEN MADE REGARDING THE GOODS OR SERVICES TO BE PRO-VIDED HEREUNDER, AND THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT EXPRESSLY SET OUT IN THIS LICENSE.

10. Proprietary Rights - ISS represents and warrants that ISS has the authority to license the rights to the Software and security content that are granted herein. ISS shall defend and indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U.S. copyright, trade secret, or patent as a result of the use or distribution of a current, unmodified version of the Software and security content, but only if ISS is promptly noti-fied in writing of any such suit or claim, and only if Licensee permits ISS to defend, compromise, or settle same, and only if Licensee provides all available infor-mation and reasonable assistance. In any such suit, if the use of the alleged infringing intellectual property is held to constitute an infringement and is enjoined, or if in light of any claim, ISS deems it reasonably advisable to do so, ISS may at ISS sole option: (i) procure the right to continue the use of such Software and security content for Licensee; (ii) replace or modify such Software and security content in a manner such that such Software and security content are free of the infringement claim; or (iii) require Licensee to return the same to ISS and ISS shall refund the fees paid for the affected Software, security content or portion thereof, less amortization for use (A) on a straight line basis over a period of three (3) years from the effective date of the applicable order for a perpetual license, or (B) on a straight line basis over the subscription term for a term license. The foregoing is the exclusive remedy of Licensee and states the entire liability of ISS with respect to claims of infringement or misappropriation relating to the Software and security content.

11. Limitation of Liability - ISS’ ENTIRE LIABILITY FOR MONETARY DAMAGES ARISING OUT OF THIS LICENSE SHALL BE LIMITED TO THE AMOUNT OF THE LICENSE FEES ACTUALLY PAID BY LICENSEE UNDER THIS LICENSE, PRORATED OVER A THREE-YEAR TERM FROM THE DATE LICENSEE RECEIVED THE SOFTWARE. OR SECURITY CONTENT, AS APPLICABLE, IN NO EVENT SHALL ISS BE LIABLE TO LICENSEE UNDER ANY THEORY INCLUDING CONTRACT AND TORT (INCLUDING NEGLIGENCE AND STRICT PRODUCTS LIABILITY) FOR ANY SPECIAL, PUNITIVE, INDIRECT, INCI-DENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, DAMAGES FOR LOST PROFITS, LOSS OF DATA, LOSS OF USE, OR COMPUTER HARDWARE MALFUNCTION, EVEN IF ISS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12. Termination - Licensee may terminate this License at any time by notifying ISS in writing. All rights granted under this License will terminate immediately, without prior written notice from ISS, at the end of the term of the License, if not perpetual. If Licensee fails to comply with any provisions of this License, ISS may imme-diately terminate this License if such default has not been cured within ten (10) days following written notice of default to Licensee. Upon termination or expiration of a license for Software, Licensee shall cease all use of such Software, including Software pre-installed on ISS hardware, and destroy all copies of the Software and associated documentation. Termination of this License shall not relieve Licensee of its obligation to pay all fees incurred prior to such termination and shall not limit either party from pursuing any other remedies available to it.

13. General Provisions - This License, together with the identification of the Software and/or security content, pricing and payment terms stated in the applicable ISS quotation and Licensee purchase order (if applicable) as accepted by ISS, constitute the entire agreement between the parties respecting its subject matter. Standard and other additional terms or conditions contained in any purchase order or similar document are hereby expressly rejected and shall have no force or effect. If Licensee has not already downloaded the Software, security content and documentation, then it is available for download at http://www.iss.net/down-load/. All ISS hardware with pre-installed Software and any other products not delivered by download are delivered f.o.b. origin. This License will be governed by the substantive laws of the State of Georgia, USA, excluding the application of its conflicts of law rules. This License will not be governed by the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded. If any part of this License is found void or unenforce-able, it will not affect the validity of the balance of the License, which shall remain valid and enforceable according to its terms. This License may only be modified in writing signed by an authorized officer of ISS.

14. Notice to United States Government End Users - Licensee acknowledges that any Software and security content furnished under this License is commercial computer software and any documentation is commercial technical data developed at private expense and is provided with RESTRICTED RIGHTS. Any use, modification, reproduction, display, release, duplication or disclosure of this commercial computer software by the United States Government or its agencies is subject to the terms, conditions and restrictions of this License in accordance with the United States Federal Acquisition Regulations at 48 C.F.R. Section 12.212 and DFAR Subsection 227.7202-3 and Clause 252.227-7015 or applicable subsequent regulations. Contractor/manufacturer is Internet Security Systems, Inc., 6303 Barfield Road, Atlanta, GA 30328, USA.

15. Export and Import Controls; Use Restrictions - Licensee will not transfer, export, or reexport the Software, security content, Beta Products, any related technol-ogy, or any direct product of either except in full compliance with the export controls administered by the United States and other countries and any applicable import and use restrictions. Licensee agrees that it will not export or reexport such items to anyone on the U.S. Treasury Department’s list of Specially Desig-nated Nationals or the U.S. Commerce Department’s Denied Persons List or Entity List or such additional lists as may be issued by the U.S. Government from time to time, or to any country to which the United States has embargoed the export of goods or for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles. Licensee represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list. Many ISS software products include encryption and export outside of the United States or Canada is strictly controlled by U.S. laws and regulations. ISS makes its current export classification information available at http://www.iss.net/export. Please contact ISS’ Sourcing and Fulfillment for export questions relating to the Software or security content ([email protected]). Licensee understands that the foregoing obligations are U.S. legal requirements and agrees that they shall sur-vive any term or termination of this License.

16. Authority - Because the Software is designed to test or monitor the security of computer network systems and may disclose or create problems in the operation of the systems tested, Licensee and the persons acting for Licensee represent and warrant that: (a) they are fully authorized by the Licensee and the owners of the computer network for which the Software is licensed to enter into this License and to obtain and operate the Software in order to test and monitor that com-puter network; (b) the Licensee and the owners of that computer network understand and accept the risks involved; and (c) the Licensee shall procure and use the Software in accordance with all applicable laws, regulations and rules.

17. Disclaimers - Licensee acknowledges that some of the Software and security content is designed to test the security of computer networks and may disclose or create problems in the operation of the systems tested. Licensee further acknowledges that neither the Software nor security content is fault tolerant or designed or intended for use in hazardous environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems, nuclear facilities, or any other applications in which the failure of the Software and security content could lead to death or personal

injury, or severe physical or property damage. ISS disclaims any implied warranty of fitness for High Risk Use. Licensee accepts the risk associated with the foregoing disclaimers and hereby waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom.

18. Confidentiality - “Confidential Information” means all information proprietary to a party or its suppliers that is marked as confidential. Each party acknowledges that during the term of this Agreement, it will be exposed to Confidential Information of the other party. The obligations of the party (“Receiving Party”) which receives Confidential Information of the other party (“Disclosing Party”) with respect to any particular portion of the Disclosing Party’s Confidential Information shall not attach or shall terminate when any of the following occurs: (i) it was in the public domain or generally available to the public at the time of disclosure to the Receiving Party, (ii) it entered the public domain or became generally available to the public through no fault of the Receiving Party subsequent to the time of disclosure to the Receiving Party, (iii) it was or is furnished to the Receiving Party by a third parting having the right to furnish it with no obligation of confidentiality to the Disclosing Party, or (iv) it was independently developed by the Receiving Party by individuals not having access to the Confidential Information of the Dis-closing Party. Each party acknowledges that the use or disclosure of Confidential Information of the Disclosing Party in violation of this License could severely and irreparably damage the economic interests of the Disclosing Party. The Receiving Party agrees not to disclose or use any Confidential Information of the Disclosing Party in violation of this License and to use Confidential Information of the Disclosing Party solely for the purposes of this License. Upon demand by the Disclosing Party and, in any event, upon expiration or termination of this License, the Receiving Party shall return to the Disclosing Party all copies of the Dis-closing Party’s Confidential Information in the Receiving Party’s possession or control and destroy all derivatives and other vestiges of the Disclosing Party’s Confidential Information obtained or created by the Disclosing Party. All Confidential Information of the Disclosing Party shall remain the exclusive property of the Disclosing Party.

19. Compliance - From time to time, ISS may request Licensee to provide a certification that the Software and security content is being used in accordance with the terms of this License. If so requested, Licensee shall verify its compliance and deliver its certification within forty-five (45) days of the request. The certification shall state Licensees compliance or non-compliance, including the extent of any non-compliance. ISS may also, at any time, upon thirty (30) days prior written notice, at its own expense appoint a nationally recognized software use auditor, to whom Licensee has no reasonable objection, to audit and examine use and records at Licensee offices during normal business hours, solely for the purpose of confirming that Licensees use of the Software and security content is in com-pliance with the terms of this License. ISS will use commercially reasonable efforts to have such audit conducted in a manner such that it will not unreasonably interfere with the normal business operations of Licensee. If such audit should reveal that use of the Software or security content has been expanded beyond the scope of use and/or the number of authorized devices or Licensee certifies such non-compliance, ISS shall have the right to charge Licensee the applicable current list prices required to bring Licensee in compliance with its obligations hereunder with respect to its current use of the Software and security content. In addition to the foregoing, ISS may pursue any other rights and remedies it may have at law, in equity or under this License.

20. Data Protection - The data needed to process this transaction will be stored by ISS and may be forwarded to companies affiliated with ISS and possibly to Lic-ensees vendor within the framework of processing Licensees order. All personal data will be treated confidentially.

Revised October 7, 2005.